Lucene search

K
cvelistWPScanCVELIST:CVE-2021-24915
HistoryNov 29, 2021 - 8:25 a.m.

CVE-2021-24915 Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure

2021-11-2908:25:50
CWE-89
WPScan
www.cve.org

0.397 Low

EPSS

Percentile

97.3%

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address

CNA Affected

[
  {
    "product": "Contest Gallery – Photo Contest Plugin for WordPress",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "13.1.0.6",
        "status": "affected",
        "version": "13.1.0.6",
        "versionType": "custom"
      }
    ]
  }
]

0.397 Low

EPSS

Percentile

97.3%

Related for CVELIST:CVE-2021-24915